Keeping up with the myriad of cyber security requirements expected of today’s financial firms is a daunting – and sometimes unachievable – task. This list continues to grow in size and scope, and remembering how often to perform tests or when to change passwords is a growing challenge for CTOs and business execs responsible for technology.
To assist in guiding your firm with its cyber plan implementation, we’ve outlined a basic calendar of security reminders to help you stay on track. Listed in order of frequency, here’s how often you should plan to take these security steps:
3 months: Change your passwords.
At least every 90 days, we recommend changing your network, system and application passwords to prevent intruders from gaining unauthorized access. Remember: password creativity is critical, and password re-use is a big no-no.
3-6 months: Conduct a simulated phishing exercise.
Phishing is one of the most effective, and thus dangerous, social engineering scams in use today and threatens to deceive and manipulate users into opening gateways, sharing confidential information or, in many cases, making financial transactions. Simulated phishing exercises (whether conducted by your firm itself or via a managed service provider) are the most effective way to test users’ knowledge of email threats and train them to be cyber aware. Most firms opt to perform quarterly phishing tests, but semi-annual exercises are commonplace also.
We recently sat down with Matt Donahue, Security/Data Privacy Consultant and Steve Banda, Senior Product Manager, to discuss cyber security trends in the family office space, as well as what steps these and other wealth management firms can take to prevent cyber-attacks. NOTE: This article originally appeared in MarketCurrents' Technology Trends - Family Office Series 2017.
What are the biggest cybersecurity threats investment management firms face?
There are constant threats facing organizations internally and externally, especially within the financial industry. One of the biggest issues is that the cyber threat landscape is continuously evolving. Hackers are trying to compromise firms in a number of ways – from phishing and social engineering to ransomware. It’s becoming much like an arms race, where both sides (hackers and criminals vs. security firms and CISOs) are diligent, organized, and well-funded, each gaining and losing the upper hand on a daily basis.
From an internal perspective, threats emerge as a result of employees being inadequately trained, falling prey to social engineering scams or not following corporate policies. They also come from technology gaps including outdated IT systems, lack of patch management and other shortcomings that could have been addressed by vulnerability assessments.
Building on the importance of vulnerability assessments, firms should recognize that hackers are always scanning to identify holes and gaps that may provide an opportunity to breach an environment. This risk reinforces the importance of technology security defenses including next-generation firewalls, intrusion detection and prevention systems (IDS/IPS) and penetration testing. Ultimately firms want to close gaps and make IT environments unappealing to hackers.
Earlier this week, our friends at Proofpoint released their 2017 Human Factor Report, which shines a light on the role individuals play in protecting organizations against cyber security threats. The trends highlighted in the report reinforce a number of ongoing trends we’ve written about before, notably the growing threat of phishing scams and business email compromise. Let’s review some of the key findings.
Hackers are consistently impersonating your CEO.
According to Proofpoint, business email compromise attacks increased 45% in Q4 2016 (compared to Q3). These types of attacks consistently involve hackers posing as firm CEOs and requesting wire transfers and sensitive material disclosures from CFOs and other internal contacts. Compromises of this nature can be extremely damaging – and avoiding them requires diligence on the part of individuals to execute checks and balances internally to review and approve any material handoffs or financial transactions.
Email isn’t the only way hackers are phishing users.
Email may be the most popular way to target individuals with phishing scams, but SMS/text scams are widely growing in popularity. Oftentimes, individuals are more keen to open messages or click on hyperlinks from their mobile devices, giving weight to these “smishing” scams. Additionally, social media phishing continues to grow. Sometimes known as “angler phishing”, in these cases, hackers pose at company support accounts and take advantage when users request support or customer service from various organizations. This is an easy way to goad users into sharing their credentials or clicking on malicious links/attachments – and Proofpoint reports an increase in occurrences by 150% in 2016!
The recent tragic attacks that occurred in London remind us all that we can never be too prepared for an emergency situation. Therefore we are republishing this article that provides some key reminders to help ensure the safety of your employees and the business continuity of your firm during these types of disaster scenarios.
Assessing the Scenario
Every scenario is different and lends itself to a certain degree of impact, whether it’s confined to an office building or a broader regional impact. Start with ensuring that your employees are accounted for and in a safe location. Then consider: will the events at hand impact their ability to continue with their jobs? Obviously, if the office space is affected, a secondary location may come into play, or firms may opt to allow employees to work remotely. Next, review critical business systems, data and resources. Are your data and assets up and running so employees can continue business functions? Are phone systems or email functioning properly?
Internal and External Communication
Depending on the severity of the situation, you’ll need to determine the level of communication to both internal and external parties. If the event or disruption will impact employees getting to or from the office or if the building is inaccessible, obviously you’ll need to notify personnel. If there may be an impact to the business itself (trading, for instance), you may want to communicate with external parties such as investors, business partners, and/or regulators. It’s helpful to have a communication plan in place to guide this process. And remember: all communications should be reviewed and approved by the individual(s) overseeing the business continuity program and the plans associated with it.
Categorized under: Business Continuity Planning
There’s a lot hackers can do to wreak havoc for private equity and other investment firms – and it extends far beyond forcing users to change their passwords. In fact, with their roguish hands on the right information, the consequences can be downright destructive for a firm’s business operations and integrity.
Systems & Network Access
Of course, with stolen passwords and login credentials, hackers can gain access to company systems and networks – not an insignificant feat. Unfortunately, we’ve seen many cases over the years where users rely on reused passwords across multiple systems – meaning when a hacker deciphers a password, it’s a profitable gateway beyond a user’s individual email account.
That said, within that email account alone, a number of critical dangers await. For example, inside your email, a hacker can access, send and delete communications at will, potentially intercepting company sensitive material, financial data or personal details they can use to further infiltrate your network.
They can also easily decipher the corporate hierarchy and capitalize on relationships with those responsible for company payments and financials. For instance, they may send a phishing email to your CFO, posing as you, requesting a fund transfer to a provided bank account number – and depending on your role within the firm, this could be considered routine and easily executed upon.
Beyond email, if a hacker gains entry to your firm’s network, they may also get their hands on company files, personnel information, financial reports, and more.
As your firm evaluates moving to the cloud – as most firms today will inevitably do – your list of priorities will likely include:
Regulatory and investor impact
Migration plans and operational effects
Hardware disposal and infrastructure changes
But another critical business area your firm should put some thought into is the effect of the cloud movement on your internal IT department (assuming you have one). What exactly happens to a firm’s IT team once it moves operations into a cloud environment? Is there still value in maintaining an in-house staff?
The simple answer is ‘yes,’ but the day-to-day responsibilities for those staffers may not look quite the same post-cloud. Outsourcing to the cloud continues to grow in popularity among firms small and large. With a fully managed service provider, everyday management is typically taken care of – leaving internal resources with a lot more time on their hands. But that doesn’t mean there’s no longer a need for an IT department. And it certainly doesn’t mean IT managers should be left to twiddle their thumbs.
In fact, according to our Private Equity CTO Survey, 93 percent of firms believe their Chief Technology Officer is becoming more important to their business. As the role of the CTO evolves, particularly in light of cloud adoption, many firms expect their CTOs/IT Directors to take on additional responsibilities.
In today’s market, the pressure from both investors and regulators is at a steady incline. Reporting obligations have grown complex, transparency is in high demand and compliance technology has become a vital component to a firm’s success. With various demands tug-o-warring hedge fund managers in multiple directions, a Client Relationship Management (CRM) platform could be the solution your financial firm has been searching for.
That is why firms are increasingly adopting Ledgex CRM, the revolutionary, stand-alone Client Relationship Management solution offered by our sister company, Ledgex Systems. Ledgex CRM is ideal for managing and tracking investor communications, sales pipelines, client relationships and capital movements. The highly configurable, centralized platform is tailor-made for hedge funds, family offices and asset allocators.
The product offers the sophisticated Client Relationship Management capabilities necessary to raise and retain more assets, maintain and grow clients, provide outstanding client service and meet heightened reporting requirements. Out of the box, the web-based solution delivers efficiencies, transparency and flexibility without increasing headcount or costs. By streamlining investor relationship management and capital activity, Ledgex CRM enables managers to optimize their time and focus on fostering relations and growing business.
Following is an excerpt from our whitepaper, Outsourcing Point-Counterpoint: Examining C-Level Perspectives at Hedge Funds and Private Equity Firms. If you want, click here to jump ahead and download the paper in full.
Outsourcing IT can be controversial across the C-suite. Your firm's CFO may see the move as financially responsible and a long-term strategic solution. Your CTO may have concerns about retaining control of the IT environment. Both sides have unique perspectives.
Just because CFOs/COOs and CTOs have different views into IT operations, outsourcing and the cloud, doesn’t mean there is no common ground. After all, both leaders ultimately want what’s best for investors and the firm. When you dig a little deeper, there are far more areas where CFOs/COOs and CTOs agree than where they differ when it comes to outsourcing IT. For example:
The outdated due diligence argument against going to the cloud has been turned on its head in the current regulatory environment. CTOs may feel they’re doing the appropriate due diligence to manage all the risks themselves. However, assessing your own risk is incredibly challenging. To thoroughly evaluate risk as well as address investors’ five, 10 or even 20-page due diligence questionnaires about technology, partners, vendors, cybersecurity and operations, CTOs need to devote enormous amounts of time – repeatedly. Risk assessments are not one-and-done tasks. Vulnerabilities, particularly cybersecurity weaknesses, should be assessed in depth every six months, and remediation of identified issues must be addressed.
Social engineering tools and tactics have transformed in recent years, and we often stress here on Hedge IT the importance of IT security, particularly when it comes to sophisticated phishing and spear-phishing campaigns via email.
One tactic we haven’t touched on is voice phishing (also known as ‘vishing’), which works towards the same ultimate goal – prompting an end user to take some kind of action that causes an exploit in the user’s system or a fraudulent wire transfer – except this time it’s done over the phone.
Voice phishing scams are growing in popularity, often catching busy users at the end of their work day with their cyber defenses down, hoping they’ll ignore the best practices they’ve learned and instead provide sensitive information to the person on the other end of the phone.
Here are a few recent examples of voice phishing scams we’ve seen:
IRS Robocalls. At the end of tax season earlier this year, many people found themselves fielding threatening calls from scammers posing as Internal Revenue Service employees insisting they’re owed money. Unfortunately, these robocall scams worked. According to the Treasury Inspector General for Tax Administration, more than 10,000 victims have paid a collective $55 million since October 2013. TIP: The IRS almost never contacts taxpayers via phone (or text, email or social media). If they want to get in touch, they’ll send you a letter.
Department of Motor Vehicles. Of a similar nature, vishing schemes have popped up across the US with victims receiving phone calls from supposed DMV employees requesting payments, social security numbers and debit card information. Texting and social media have also become popular avenues for these scams.
The WannaCry ransomware attack is slowing as IT teams across the globe work to deploy patches, disable SMBv1 and recover files, but we are still very much in the midst of the situation. Here’s a look at what we know and what we can do in an effort to prevent future attacks.
What is the WannaCry Ransomware?
On May 12, 2017, a new strain of the Ransom.CryptXXX (WannaCry) ransomware began spreading globally, affecting a large number of organizations. WannaCry encrypts data files and asks users to pay a ransom in bitcoins. The ransom note indicates that the payment amount will be doubled after three days. If payment is not made after seven days, the encrypted files will be deleted.
We have learned that the bitcoin accounts have been abandoned, and there never was an automated decryption process, so victims should not pay the ransom. Recovery from backups are the best course of action.
How Did WannaCry Spread?
WannaCry has the ability to spread itself within corporate networks, without user interaction, by exploiting a known vulnerability in Microsoft Windows. Computers that do not have the latest Windows security updates applied are at risk of infection.
According to Microsoft, “A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.”
How is WannaCry Stopped?
Applying the most recent Microsoft patches to environments will help protect computers from WannaCry infections. Another immediate remediation plan is to disable the specific system protocol known as SMBv1 to mitigate the risk of infection in relation to WannaCry.
Lessons Learned from WannaCry?
Experts warn the WannaCry may not be over just yet so we’ll tread lightly on ‘lessons’ learned but there are a few we can share: